[Sorry, fat fingered the send key on the prior post.]
Hi Steve,
> I'm curious about the market status quo and trends in the area of
> how network IDS/IPS products are dealing with layer 3/4 evasion
> techniques (a la Ptacek & Newsham: ambiguous segmentation &
> fragmentation, ttl tricks, etc.). The Handley/Paxson/Kreibich paper
> from Usenix01 lists three approaches (not counting "use a host-based
> IDS" :-) ):
> 1. inline normalization
> 2. profiling the intranet and using target-specific algorithms
> 3. bifurcating analysis
> From what I've read, Snort is going route #2, with the Sourcefire
> RNA system doing the profiling.
> - Is there any public information regarding which approach (if any)
> other commercial systems are using?
As far as I can tell most of the commercial systems that are available
today use static configuration for layer 3/4 anti-evasion where they
allow configurability at all. Some of the vendors appear to be taking
advantage of the fact that they run inline to perform some level of
normalization but for the most part commercial systems don't allow you
to do very much at all, especially not in a way that reflects the
dynamic nature of the networks in which the devices are installed.
> - Does Snort's decision indicate any sort of consensus that #2 is
> the best approach, or would that be considered controversial?
> (Clearly #3 isn't practical as a general technique, but the Handley
> paper seems to make a good case for #1.)
Nope, it reflects my bias. :) My bias is based on my experiences of
the past 10 years as well as the realities associated with deploying
these technologies, so there is a decent amount of thought behind them.
I'll comment on the methods.
1) Inline normalization
* Pros: Removes traffic anomalies so the codepaths for anti-evasion
mechanisms are simpler. One scrubber allows all devices behind it to
enjoy a normalized packet stream. Doesn't have to care about or track
the network it's protecting so the normalization technology is simpler
and, in theory, very robust.
* Cons: Deploying an inline device has very different requirements for
uptime, latency and performance across the device than the passive
devices it's aiding. Some organizations react very negatively to
introducing inline packet mangling devices. Packet scrubbers can also
interfere with some useful functions like passive OS fingerprinting.
Provides no coverage for evasive attackers behind the device.
2) Network profiling and context-based analysis
* Pros: Doesn't require an inline device and concomitant political/
technical signoff. Able to profile all devices continuously (assuming
optimal deployment) and dynamically update IDS/IPS. Gathered
information has uses beyond just straight anti-evasion.
* Cons: Getting full coverage of the network can be challenging. Bad
profiles skew the anti-evasion models. Data management and
communication can be a challenge. Network traffic analyzers have to
be modified to work with the data produced by the context generator.
3) Bifurcation.
Well, suffice to say I just think bifurcation is a bad idea.
> - Do you all feel that existing approaches (like Snort's, or perhaps
> some commercial implementation of #1) are adequate, or is there a
> need for a more robust solution?
I think that the methods we've deployed in Snort and the ones we're
working on for the next generation of Snort engine are certainly
adequate. It seems to me that evasion is moving much more heavily to
layer 7 anyway so perhaps it's a moot point.
-Marty
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
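A small added illustration of the layer-4 ambiguity the thread is about, and of approaches #1 and #2 side by side (constructed example, not code from the thread, Snort or Sourcefire). Two TCP segments claim the same sequence range with different bytes; the policy names "first" and "last" are hypothetical stand-ins for the overlap rules real stacks use, the signature and traffic are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    seq: int      # relative TCP sequence number of the first payload byte
    data: bytes

def reassemble(segments, policy):
    """Rebuild the stream as a target would. Hypothetical policy names:
    "first" keeps bytes already buffered, "last" lets later data overwrite."""
    buf = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "last" or off not in buf:
                buf[off] = byte
    out, off = bytearray(), 0
    while off in buf:          # stop at the first hole in sequence space
        out.append(buf[off])
        off += 1
    return bytes(out)

def normalize(segments):
    """Approach #1: inline scrubber that drops any byte whose sequence number it
    already forwarded, so hosts behind it cannot disagree. Also flags overlaps
    that carried different bytes, which is a detection signal in itself."""
    seen, out, inconsistent = {}, [], False
    for seg in segments:
        run_start, run = seg.seq, bytearray()   # current run of new bytes
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if off in seen:                      # already forwarded: trim it
                inconsistent |= seen[off] != byte
                if run:
                    out.append(Segment(run_start, bytes(run)))
                    run = bytearray()
                run_start = off + 1
            else:
                seen[off] = byte
                run.append(byte)
        if run:
            out.append(Segment(run_start, bytes(run)))
    return out, inconsistent

SIGNATURE = b"/admin"   # constructed content match for the sensor

def verdicts(segments, policies=("first", "last")):
    """Approach #2 in miniature: judge the stream under each candidate target
    policy; if the verdicts differ, the sensor is guessing about the host."""
    return {p: SIGNATURE in reassemble(segments, p) for p in policies}

# Constructed traffic: the ambiguous-overlap case from Ptacek & Newsham.
RAW = [Segment(0, b"GET /"), Segment(5, b"index.html"), Segment(5, b"admin.html")]
```

Run `verdicts(RAW)` to see the two policies disagree on the raw traffic, then `verdicts(normalize(RAW)[0])` to see that the scrubbed stream gives the same answer regardless of what the host behind it does.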